
How to Connect to Your FreeNAS Server via SSH Without A Password; Password Free Logins via Public Key Authentication

July 22nd, 2009

If you connect to your FreeNAS server often with SSH, or want to run rsync via SSH, it can be very useful to set up what is called public key authentication. In public key authentication, rather than using a password to grant access, the SSH client proves to the SSH server that it holds the private key matching a public key the server already trusts, and so confirms the identity of the client.

The first step is to make sure that you have a user with shell access. To check, go to Access->Users and either edit an existing user or create a new user, and make sure the “Shell access” box is ticked. You also need to be sure that the SSH server is running. Check this on the Services->SSH page.

Important:
SSH is very fussy about user permissions. If the home directory of your user isn’t owned by the user, SSH login with public key will fail. If you have this problem the SSH log will show something like “Authentication refused: bad ownership or modes for directory /mnt/store”. To fix this you need to create a directory beneath your mount point for that user, e.g. /mnt/store/bob, and set the Home directory to it on the Access->Users page for that user.

In this example I will use OS X (it should be almost identical for Linux but for Windows users you will need to use PuTTY and PuTTYgen).

On the client machine open a terminal window and enter the command:

ssh-keygen -q -f ~/.ssh/id_rsa -t rsa

When prompted for a passphrase just hit ENTER twice:

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

This will generate what is known as a private key and a public key. The private key must be kept safe and secure and you must never distribute it in any form whatsoever. Because it was created without a passphrase, anyone who obtains the private key file can log in as you. The public key, however, is for public consumption and this is what we will copy over to the FreeNAS server.

So to copy the public key to the FreeNAS server, use the following command:

scp ~/.ssh/id_rsa.pub bob@192.168.1.250:

Where bob is the username with shell access and 192.168.1.250 is the address of your FreeNAS machine.

When prompted for the password enter it:

bob@192.168.1.250's password:
id_rsa.pub 100% 402 0.4KB/s 00:00

Now login to your FreeNAS machine using SSH:

ssh -l bob 192.168.1.250

And enter the password when prompted.

Now the public key of your client machine needs to be added to the list of keys that are authorized to connect. To do this run the following commands:

cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
rm ~/id_rsa.pub

The first command will add the key to the list of authorized keys, the second will ensure that the permissions are set correctly on that file and the third will delete the .pub file you copied over with the scp command, as it is no longer needed.

And that is it. You can now log out and connect again with SSH, and it should connect directly without asking for a password.

Troubleshooting:
If you find that everything doesn’t work as planned then check the Diagnostics->Log page, select SSH from the drop-down box and see what is being logged.
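The ownership and mode rules from the Important note, together with the key-install commands, as an added example that is not part of the original article. The function names are hypothetical, and the check assumes sshd's StrictModes rule: each path must be owned by the user or root and must not be group- or world-writable.

```shell
#!/bin/sh
# Added example (not from the article). Run on the FreeNAS box as the login user.
# Usage: install_pubkey "$HOME" "$HOME/id_rsa.pub" && audit_home "$HOME" "$(id -u)"

# Report why one path would trigger "bad ownership or modes".
check_path() {  # check_path PATH USER_OR_UID
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    # find prints the path only when the owner is the user or root (uid 0)
    if [ -z "$(find "$1" -prune \( -user "$2" -o -user 0 \))" ]; then
        echo "bad owner: $1"; return 1
    fi
    # find prints the path when the group-write or other-write bit is set
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "group/world-writable: $1"; return 1
    fi
    return 0
}

# Check the home directory, ~/.ssh and authorized_keys in one pass.
audit_home() {  # audit_home HOME_DIR USER_OR_UID
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$p" "$2" || rc=1
    done
    return $rc
}

# Create ~/.ssh if needed, then append the key once with tight modes.
# The body runs in a subshell so the umask change does not leak out.
install_pubkey() (  # install_pubkey HOME_DIR PUBKEY_FILE
    umask 077
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || exit 1
    touch "$1/.ssh/authorized_keys" || exit 1
    chmod 600 "$1/.ssh/authorized_keys" || exit 1
    # Skip the append when this exact key line is already present
    grep -qxF -- "$(cat "$2")" "$1/.ssh/authorized_keys" ||
        cat "$2" >> "$1/.ssh/authorized_keys"
)
```

Any line printed by audit_home names the path to fix before retrying the login.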

  1. March 9th, 2010 at 21:09 | #1

    Thanks, very helpful article.

    It bears mentioning that to benefit from the improved security of using certificate based authentication you need to go into the web GUI to Services | SSH and untick “Enable keyboard-interactive authentication.”

    If you don’t disable password based logins you will have improved convenience but no better security. Technically it may be even worse as there are now two attack vectors!

    Also it is worth changing the default port if only as to spare your logs the constant barrage of failed brute force attempts. Strangely the command line argument for specifying a port is different between ssh (-p) and scp (-P), both choke if the wrong case is used, lord knows why that’s how it is on my Ubuntu box!

    Also, I found that I needed to manually create the user's “.ssh folder” and “authorized_keys” file manually before the “cat ~/id_rsa.pub >> ~/.ssh/authorized_keys” line would work.

    Anyway, thanks again & keep up the good work 🙂

    Roger.

  2. Rafael
    June 27th, 2010 at 15:28 | #2

    Hello,
    Many thanks for the tutorial.
    I was desperate with rsync + ssh + without password.
    Thanks

  3. Al
    January 3rd, 2011 at 15:06 | #3

    Why are you saying:

    “This will generate what is known as a private key and a public key. The private key must be kept save and secure and you must never distribute it in any form whatsoever. However the public key is for public consumption and this is what we will copy over to the FreeNAS server.”

    When the GUI of the freenas server in the SSH windows says PRIVATE KEY, but your instructions say copy public key???

    -Al

  4. rEnr3n
    July 29th, 2011 at 09:33 | #4

    This is my freenas structure but I still can’t do passwordless login:

    drwxr-xr-x 3 root wheel 512 Jul 29 09:54 /mnt
    drwxr-xr-x 4 root wheel 512 Jul 29 09:55 /mnt/mount
    drwx------ 4 admin admin 512 Jul 29 10:15 /mnt/mount/Data
    drwx------ 2 admin admin 512 Jul 29 10:10 /mnt/mount/Data/.ssh
    -rw------- 1 admin admin 399 Jul 29 10:10 /mnt/mount/Data/.ssh/authorized_keys

    I just get permission denied (publickey). But this is what I see in the log (Diagnostics|Log):
    SSH: Server;Ltype: Version;Remote: 192.168.2.11-xxxxx;Protocol: 2.0;Client: OpenSSH_5.8p1 Debian-1ubuntu3

    xxxxx = random port number
